Thycotic’s Cyber Security Publication

Privileged Password 101: What exactly is it?

December 15th, 2017

As the total universe of passwords will likely grow to more than 300 billion by 2020, people and organizations across the world face a massively growing cyber security risk from hacked or compromised user and privileged accounts—sometimes a single password being the only security control preventing cyber criminals from gaining access to the victim’s sensitive information.

Apple’s face ID has already been hacked using a 3D printed mask

With the recent release of Apple’s Face ID on the latest version of the iPhone X, and with visionaries predicting that biometrics will replace passwords, the reality so far is simply NO, this is not so, and not even anytime soon. Apple’s Face ID has already been compromised using a 3D printed mask, so it’s important you’re not too quick to abandon password security best practices.

Biometrics should NEVER be the only security control that is protecting your sensitive information or financial accounts.

Biometric security controls, like fingerprint, voice or facial recognition, should always be complemented by another factor like a pin or passphrase. Biometric information can be compromised, so something that is not linked to biometrics should always be used as an additional authentication method.

These technologies help provide a people-centric and human-friendly approach to cyber security, but they still come with risks and it is always important to mitigate or reduce the risks. The biggest problem with biometrics is that when they are compromised you cannot change them. It’s like a hard-coded password—a bad idea in today’s security world. Biometric security control should be combined with something that can easily be changed to ensure that your sensitive information remains secured.

So, let’s get back to basics with Privileged Password Management 101

First, what is a Password (aka Passphrase or Secret)?

A password, also commonly known as a secret, a passphrase, or if only numeric—a PIN. A Memorized secret authenticator is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. A memorized secret is something you know.

2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

A password is a single factor of authentication. The type of account or information the password is protecting should be the deciding factor as to whether or not you should add additional security controls.

If the account is protecting and securing financial information, administrator access, or very sensitive information, then stronger security controls should be added, like 2FA or MFA. These must be used in conjunction with the password to gain access. For email or privileged accounts 2FA should always be used in conjunction with a password.

Strength and Length

How do you create a strong password, and is it’s length important? The strength of a password comes down to how easily someone can guess your password using brute force or cracking attacks.

The problem has always been that people use passwords they can easily remember by choosing some unusual dictionary word or topic of interest. They think that its rarity will be enough to protect them. But hackers use techniques that make guessing these types of passwords easy. So when creating a password, make it something unique—preferably a combination of multiple words—and it must always be something that only you know, and no one can easily guess.

As for the length of your password, the mathematical algorithms are stronger when your password exceeds 8 characters.

Complexity and Cyber Fatigue

If you have many accounts and passwords, opting to use a password manager makes securing and managing your accounts easier. A password manager helps track the age of each password, lets you know what additional security controls have been applied, and helps generate complex passwords for all your accounts so you won’t have to type or remember them. You only need to remember one strong password, which reduces your cyber fatigue and makes your life easier—and more secure.

Even when using a password manager, password best practices still apply

While a password manager will help you, do remember that best practices still apply when creating account passwords. You can use passphrases, which are a combination of words that you know and only a few special characters like ?%&@!). A long, strong passphrase combined with 2FA is tough to crack.

Use Encryption, and Trust No One

Your passwords must be stored at rest using encryption, never in clear text. And if you’re using a password protected file like a spreadsheet, stop immediately. Storing passwords in a spreadsheet is not a good practice. Trust no one with your passwords. If you need to share access with someone then provide them with a one-time password that they can use just once. When they are finished they can no longer reuse the password to gain access and must again request access.

Password Age and Disclosure

This is a bit of a debate, but here are my recommendations. Depending on the sensitivity of the account and the importance of the data being secured by the password, set a regular rotation cycle for the password. Do not wait to be informed of a breach—by then it is already too late. Sometimes the breach is already months old, or in some incidents, years.

The best practice for systems passwords is to rotate the password as frequently as required. This can be done automatically. For human passwords the time frame can be longer, but I recommend between 6 and 9 months.

Changing a password can serve as a trigger to locating a compromised account, as typically, it should alert you to failed logon attempts after the password has been changed. If a system password has been used, aka disclosed, then once the activity is complete rotate the password. Password disclosure should be kept to as few passwords as possible to reduce the risks.

Use a Privileged Password Management Solution

Using a privileged password management tool you can create, share, and automatically change enterprise passwords. You can assign user permissions at any level, and track password usage with full audit reports. PAM—privileged account management—can also be used to improve insights into vulnerability assessments, IT network inventory scanning, virtual environment security, identity governance and administration, and behavior analytics. By paying special attention to privileged account security, you can enhance all your cyber security efforts, helping to safeguard your organization in the most efficient and effective way possible.

By implementing a comprehensive plan for PAM security, you can protect your organization from cyber threats. Limiting access to privileged accounts makes the hacker’s job far more difficult—and your organization a lot more secure.

The Don’ts of Password Management 101:

For many years companies have been following password best practices that have not worked well, so here are the ones to get rid off when updating your policies.

Password Composition Rules are gone:

This is history: “Please use a password different from the last 1000 passwords, it must contain 10 numbers, 4 upper case letters, 5 lower case letters, 3 symbols, etc.”

Password Hints are gone:

Password hints never worked in the first place; people just put the password in the hint field.

Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.